Analysis
- max time kernel: 122s
- max time network: 127s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 27/06/2024, 01:07
Static task: static1
Behavioral task: behavioral1
- Sample: 32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: 32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: 32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe
- Size: 136KB
- MD5: 44dbf53170b964b9da3f2bca8dad30c0
- SHA1: a7f03af3ae3decfba18e38d915252bbb9ff79b4c
- SHA256: 32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891
- SHA512: 7076a0cdd5ce698eb9532ad3adc23491f771e3a9f00c6e8e3a674ce54fe63e3e461a08da220e63debc372ede25d9d144e9918c7a8acf4fa16bf4af7bd94fbef4
- SSDEEP: 1536:S4+aEpOwd/VxDy/5X2++jCx3kdjKsPGR7ehp3vmLvsZIZwTcNhLx8bZJLtgliY4V:obpDCw1p3vmLvsZIaVvq7TW
Malware Config
Signatures
- Modifies visibility of file extensions in Explorer (2 TTPs, 3 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | avscan.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | hosts.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 3 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | avscan.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | hosts.exe
- Adds policy Run key to start application (2 TTPs, 6 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\EILATWEW = "W_X_C.bat" | WScript.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | WScript.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\EILATWEW = "W_X_C.bat" | WScript.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | WScript.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\EILATWEW = "W_X_C.bat" | WScript.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | WScript.exe
- Executes dropped EXE (6 IoCs)
  pid | Process
  2780 | avscan.exe
  2748 | avscan.exe
  2520 | hosts.exe
  2564 | hosts.exe
  784 | avscan.exe
  1696 | hosts.exe
- Impair Defenses: Safe Mode Boot (1 TTPs, 3 IoCs)
  description | ioc | Process
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | REG.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | REG.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | REG.exe
- Loads dropped DLL (5 IoCs)
  pid | Process
  1688 | 32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe
  1688 | 32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe
  2780 | avscan.exe
  2564 | hosts.exe
  2564 | hosts.exe
- Adds Run key to start application (2 TTPs, 3 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" | 32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" | avscan.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" | hosts.exe
- Drops file in Windows directory (5 IoCs)
  description | ioc | Process
  File created | C:\windows\W_X_C.vbs | 32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe
  File created | \??\c:\windows\W_X_C.bat | 32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe
  File opened for modification | C:\Windows\hosts.exe | 32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe
  File opened for modification | C:\Windows\hosts.exe | avscan.exe
  File opened for modification | C:\Windows\hosts.exe | hosts.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry key (1 TTPs, 9 IoCs)
  pid | Process
  3052 | REG.exe
  2232 | REG.exe
  1220 | REG.exe
  3068 | REG.exe
  768 | REG.exe
  1564 | REG.exe
  308 | REG.exe
  2972 | REG.exe
  1540 | REG.exe
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid | Process
  2780 | avscan.exe
  2564 | hosts.exe
- Suspicious use of SetWindowsHookEx (7 IoCs)
  pid | Process
  1688 | 32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe
  2780 | avscan.exe
  2748 | avscan.exe
  2564 | hosts.exe
  2520 | hosts.exe
  784 | avscan.exe
  1696 | hosts.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe (PID 1688)
  Command line: "C:\Users\Admin\AppData\Local\Temp\32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe"
  Signatures: Modifies visibility of file extensions in Explorer; Modifies visibility of hidden/system files in Explorer; Loads dropped DLL; Adds Run key to start application; Drops file in Windows directory; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\REG.exe (PID 1564)
    Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    Signatures: Impair Defenses: Safe Mode Boot; Modifies registry key
  - C:\Users\Admin\AppData\Local\Temp\avscan.exe (PID 2780)
    Command line: C:\Users\Admin\AppData\Local\Temp\avscan.exe
    Signatures: Modifies visibility of file extensions in Explorer; Modifies visibility of hidden/system files in Explorer; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Drops file in Windows directory; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\avscan.exe (PID 2748)
      Command line: C:\Users\Admin\AppData\Local\Temp\avscan.exe
      Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\cmd.exe (PID 2848)
      Command line: cmd /c c:\windows\W_X_C.bat
      Signatures: Suspicious use of WriteProcessMemory
      - C:\windows\hosts.exe (PID 2564)
        Command line: C:\windows\hosts.exe
        Signatures: Modifies visibility of file extensions in Explorer; Modifies visibility of hidden/system files in Explorer; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Drops file in Windows directory; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\avscan.exe (PID 784)
          Command line: C:\Users\Admin\AppData\Local\Temp\avscan.exe
          Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        - C:\Windows\SysWOW64\cmd.exe (PID 2940)
          Command line: cmd /c c:\windows\W_X_C.bat
          Signatures: Suspicious use of WriteProcessMemory
          - C:\windows\hosts.exe (PID 1696)
            Command line: C:\windows\hosts.exe
            Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
          - C:\Windows\SysWOW64\WScript.exe (PID 1060)
            Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
            Signatures: Adds policy Run key to start application
        - C:\Windows\SysWOW64\REG.exe (PID 2972)
          Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          Signatures: Modifies registry key
        - C:\Windows\SysWOW64\REG.exe (PID 1540)
          Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          Signatures: Modifies registry key
        - C:\Windows\SysWOW64\REG.exe (PID 768)
          Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          Signatures: Modifies registry key
        - C:\Windows\SysWOW64\REG.exe (PID 1220)
          Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          Signatures: Modifies registry key
      - C:\Windows\SysWOW64\WScript.exe (PID 2728)
        Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        Signatures: Adds policy Run key to start application
    - C:\Windows\SysWOW64\REG.exe (PID 308)
      Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      Signatures: Modifies registry key
    - C:\Windows\SysWOW64\REG.exe (PID 3052)
      Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      Signatures: Modifies registry key
    - C:\Windows\SysWOW64\REG.exe (PID 3068)
      Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      Signatures: Modifies registry key
    - C:\Windows\SysWOW64\REG.exe (PID 2232)
      Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      Signatures: Modifies registry key
  - C:\Windows\SysWOW64\cmd.exe (PID 2784)
    Command line: cmd /c c:\windows\W_X_C.bat
    Signatures: Suspicious use of WriteProcessMemory
    - C:\windows\hosts.exe (PID 2520)
      Command line: C:\windows\hosts.exe
      Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\WScript.exe (PID 2812)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      Signatures: Adds policy Run key to start application
Network
MITRE ATT&CK Enterprise v15
Downloads